Improved variants of the Fiat-Shamir identification and signature scheme.

A method of proving the identity of an entity comprising the steps of establishing a public key for the entity
consisting of a modulus n which is the product of at least two prime numbers, and a sequence of k numbers
$v_1,\ldots,v_k$; computing a private key for the entity consisting of k numbers $s_1,\ldots,s_k$ satisfying
$s_j^d v_j = 1 \pmod{n}$ for all $1 \le j \le k$, where d is a universally known constant larger than 1;
transmitting from the entity to a verifier $x = r^d \pmod{n}$ where r is a random number in the range 0<r<n;
transmitting from the verifier to the entity a sequence of k random numbers $e_1,\ldots,e_k$ in the range
$0 \le e_j < d$; transmitting from the entity to the verifier the value

$$y = r \prod_{j=1}^{k} s_j^{e_j} \pmod{n}$$

and verifying the identity of the entity by checking that

$$x = y^d \prod_{j=1}^{k} v_j^{e_j} \pmod{n}.$$
IMPROVED VARIANTS OF THE FIAT-SHAMIR IDENTIFICATION AND SIGNATURE SCHEME



FIELD OF INVENTION

The present invention relates to a method and apparatus for implementing an identification and
signature scheme and, more particularly, relates to an improvement to the method and apparatus disclosed
and claimed in, and is a continuation-in-part of, U.S. Patent Application Serial No. 08/883,247 filed July 9,
1986 in the names of Adi Shamir and Amos Fiat.



SUMMARY OF INVENTION 

In the aforementioned parent patent application (to which we refer henceforth as the original Fiat-Shamir
scheme), a method and apparatus are disclosed and claimed which enable an entity to generate proofs of
identity and signatures of messages that everyone can verify but no one can forge. Compared to other
schemes of this type (such as the RSA), the Fiat-Shamir scheme is faster by one to two orders of
magnitude. In the present invention disclosed and claimed in this patent application, two improved variants
of the Fiat-Shamir scheme are described which are even faster. One variant uses small public values to
optimize the verification procedure, and the other variant uses small secret values to optimize the
generation procedure. To keep these variants secure and to fully exploit their improved performance, some
of the details of the original method and apparatus disclosed and claimed in the aforementioned parent
patent application have been modified. In particular, the public key of an entity is no longer computed as a
function of its identity I, the quadratic expressions are generalized to d-th powers, and the execution of the
protocol is usually not iterated, but may be.

Other and further objects and advantages of the present invention will be evident from the following
detailed description taken in conjunction with the drawings.



DESCRIPTION OF THE DRAWINGS 

Figure 1 is a schematic showing the novel method and apparatus for proving identity; and
Figure 2 is a schematic showing the novel method and apparatus for generating and verifying a
signature to a message.



DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

Referring now to the drawings, the basic structure of the new and improved variants of the method and
apparatus of the aforementioned parent patent application is illustrated in Figure 1 for a proof of identity. As
shown, an entity either selects or is given a public key, see block 10, consisting of a modulus n which is the
product of at least two prime numbers, and a sequence of k numbers $v_1,\ldots,v_k$. This public key can be stored
in a public key directory, or sent to the verifier along with a trusted center's signature on it to establish its
authenticity. The entity computes a corresponding private key, block 12, consisting of numbers $s_1,\ldots,s_k$
satisfying $s_j^d v_j = 1 \pmod{n}$ for all $1 \le j \le k$, where d is some universally known constant larger than 1.

Accordingly, the identification technique proceeds as follows.

To prove his, hers or its identity, the entity chooses a random r in the range 0<r<n, block 14, and sends
$x = r^d \pmod{n}$ to the verifier, block 16 and line 18, where it is received by the verifier, block 20. Upon
receipt of x, line 22, the verifier chooses k random numbers $e_1,\ldots,e_k$ in the range $0 \le e_j < d$, block 24, and
sends them to the prover, line 26. The prover, in response to receipt of $e_1,\ldots,e_k$, block 28, computes and
sends

$$y = r \prod_{j=1}^{k} s_j^{e_j} \pmod{n}$$

to the verifier, block 32, line 34. Line 38 sends the $s_j$ values from block 12 to block 32. The verifier, upon
receipt of the y value in block 38, via line 40, computes in block 42 the value

$$y^d \prod_{j=1}^{k} v_j^{e_j} \pmod{n}.$$

This value is sent via line 44 to block 46 where it is compared with the value x, via line 48. The result is
passed by line 50 to block 52 where the judgment is made. The verifier accepts the proof of identity in
block 54 if

$$x = y^d \prod_{j=1}^{k} v_j^{e_j} \pmod{n},$$

and rejects the proof of identity if this equality does not hold.

The signature technique of the present invention is schematically portrayed in Figure 2. As shown, the
identification scheme of Figure 1 is turned into a signature scheme by using some publicly known
cryptographically strong pseudo random function f which maps its inputs into a sequence of k numbers
$e = e_1,\ldots,e_k$ in the range $0 \le e_j < d$, block 70. To generate a signature for message m according to the present
invention, first, a random r in the range 0<r<n is chosen. Then, $e = f(r^d \pmod{n}, m)$ is computed in block 72.
Next,

$$y = r \prod_{j=1}^{k} s_j^{e_j} \pmod{n}$$

is computed in block 74. The signature of m consists of e and y. These values are either stored or sent to
the verifier where they are received in block 76.

To verify the stored or transmitted signature, the verifier computes

$$f\left(y^d \prod_{j=1}^{k} v_j^{e_j} \pmod{n},\ m\right)$$

in block 78. These values are compared with e, block 80. If equal, block 82, the signature is accepted as
genuine and, if not, the signature is rejected as a forgery.

The best known attack on these identification and signature techniques has a probability of success of
$d^{-k}$ per attempt. To make the interactive identification protocol secure, it usually suffices to choose $d^k$ larger
than or equal to $2^{19}$ since a cheater has only one chance to forge a proof of identity. To make the
non-interactive signature technique secure against repeated attempts to forge a signature, $d^k$ should be at least
$2^{64}$. This can be achieved either by using sufficiently large values of d and k, or by iterating the executions
of these schemes t times and making sure that $d^{kt} \ge 2^{64}$. In most applications, the first option is
recommended since it minimizes both the number of modular multiplications and the number of communicated
bits.

In the first variant of the present invention, small $v_j$ values are used. In the preferred embodiment of this
variant, d is 2 or 3, and all the entities choose the numbers $v_j$ as the first k primes $v_1 = 2$, $v_2 = 3$, $v_3 = 5$, etc.
Since the $v_j$ are universal, only the modulus n has to be specified in the public-key directory. In a typical
implementation of this variant with k = 64 numbers and 512 bit modulus, the size of each entry in the
public-key directory is 64 bytes, and the size of each signature is 72 bytes, which are comparable with those of
the RSA signature scheme. The size of the private key is about 4 kilobytes, but since each entity has to
store only one such file, it can fit into almost any microcomputer based device (with the possible exception
of a smart card). With optimized implementations, it is possible to generate proofs of identity in less than 10
modular multiplications and to generate signatures in less than 30 modular multiplications, which is the
same as in the original Fiat-Shamir scheme. However, since multiplications by the small $v_j$ values (most of
which fit in a single byte) have negligible complexity, the verification of identities and signatures in this
variant requires only 1 or 2 full-size modular multiplications. This is an order of magnitude faster than in the
original Fiat-Shamir scheme, and is expected to take only tens of milliseconds on a standard microprocessor
and less than a millisecond on a mainframe computer. The high efficiency of verification can be crucial
when a central computer has to verify many access requests or signed documents generated in thousands
of terminals, or when a remotely controlled robot has to verify in real time a stream of signed instructions
generated by a more powerful central computer.

The choice of exponent d depends on the relative importance of efficiency and convenience. When
d = 2, the scheme requires the fewest number of modular multiplications, but the square roots of the $v_j$ do
not always exist. It is thus necessary to modify the scheme in one of the following ways.

1. Each entity can choose its own set of small $v_j$ values, making sure that all of them are quadratic
residues modulo the entity's n. These $v_j$'s should be published in full in the public-key directory.

2. Use a longer list of standard $v_j$ values and each entity can choose a subset of k values which are
quadratic residues modulo its own n (when n is the product of two primes, the universal list should contain
about 4k numbers). The entity's chosen subset should be specified in the public-key directory or sent as
part of the signature.

3. Each entity is allowed to modify the standard $v_j$ which are quadratic non-residues. A particularly
simple way to achieve this is to pick a modulus n = pq where p = 3 (mod 8) and q = 7 (mod 8), since then
exactly one of $v_j$, $-v_j$, $2v_j$, $-2v_j$ is a quadratic residue mod n for any $v_j$. The appropriate variant of each $v_j$ can
be specified in the public-key directory, sent as part of the signature, or deduced by the verifier himself
during the verification of given signatures.
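Option 3 above for d = 2, worked through as an added example (not code from the patent): it picks the quadratic-residue variant of each standard v_j and derives the matching private s_j. The toy primes P and Q, the list length k = 8 and all function names are assumptions of this example.

```python
# Constructed toy primes (assumption of this example), far too small for real use.
P = 1_000_003        # P % 8 == 3
Q = 2**31 - 1        # Q % 8 == 7
N = P * Q
STANDARD_V = [2, 3, 5, 7, 11, 13, 17, 19]   # the first k primes, k = 8

def is_qr(a, p):
    """Euler's criterion: a is a nonzero square modulo the odd prime p."""
    return pow(a % p, (p - 1) // 2, p) == 1

def residue_variant(v):
    """Return the single multiplier c in (1, -1, 2, -2) for which c*v is a
    quadratic residue mod N = P*Q, i.e. a residue mod both P and Q."""
    hits = [c for c in (1, -1, 2, -2) if is_qr(c * v, P) and is_qr(c * v, Q)]
    if len(hits) != 1:
        raise ValueError("modulus is not of the p = 3, q = 7 (mod 8) form")
    return hits[0]

def sqrt_mod_n(a):
    """One square root of a residue a mod N. Uses a^((p+1)/4) mod p, valid
    because P and Q are both 3 (mod 4), then recombines with the CRT."""
    rp = pow(a % P, (P + 1) // 4, P)
    rq = pow(a % Q, (Q + 1) // 4, Q)
    return (rp + P * ((rq - rp) * pow(P, -1, Q) % Q)) % N

def make_keys():
    """d = 2 keys: public v_j = c_j * (j-th prime), kept as small signed
    integers, and private s_j with s_j^2 * v_j = 1 (mod N).
    Taking the square roots requires the factorization of N."""
    multipliers = [residue_variant(v) for v in STANDARD_V]
    public = [c * v for c, v in zip(multipliers, STANDARD_V)]
    private = [sqrt_mod_n(pow(vj % N, -1, N)) for vj in public]
    return multipliers, public, private

if __name__ == "__main__":
    for c, v, s in zip(*make_keys()):
        print(f"multiplier {c:+d}  v_j = {v:+d}  s_j = {s}")
```

The modified v_j stay small in absolute value, so the verifier's multiplications by them remain cheap; only the sign and the factor 2 have to be recorded or deduced.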

Alternatively, the entities can use d = 3 and avoid all these complications. If the totient function of n is
not divisible by 3, then any $v_j$ value has a cubic root mod n. However, this choice of d requires an additional
modular multiplication during the generation and the verification of signatures.

The choice of the $v_j$ as the first k primes in the preferred embodiment is based on the fact that large
values can make the scheme less efficient, and multiplicatively related values can make the scheme less
secure. However, the $v_j$ can be chosen as any other sequence of k numbers.

As described in the parent Fiat-Shamir application, there are many possible tradeoffs between the size
of the keys, the number of communicated bits, and the number of modular multiplications. All the
optimization ideas described in the parent patent application are equally applicable to this variant.

In a second variant of the present invention, small $s_j$ values are used. In this variant, the entities can
choose their own moduli n, or can use a universal modulus n published by a trusted center (the first option
is more secure, while the second option reduces the size of the public key). Each entity chooses a
sequence of small secret numbers $s_1,\ldots,s_k$ and computes the corresponding public numbers $v_1,\ldots,v_k$ as

$$v_j = \frac{1}{s_j^d} \pmod{n}$$

(note that this computation can be carried out even when the factorization of n is unknown). Each $s_j$ should
be at least 64 bits long to protect it from exhaustive search attacks, and the exponent d should be large
enough to guarantee that $s_j^d > n$ (e.g., when |n| = 512 and $|s_j|$ = 64, d should be at least 16 to guarantee
sufficient wraparound). The computed values of $v_1,\ldots,v_k$ (and the entity's modulus n, if applicable) are
placed in the public key directory. The actual generation and verification of proofs of identity and signatures
is carried out in the way specified above. The small values of the $s_j$ have two beneficial effects.

1. The size of the private key is much smaller than in the above version of the signature technique.
To make $d^k = 2^{64}$ for d = 16, it suffices to use k = 16 instead of k = 64 $s_j$ values, and the size of each $s_j$ is 64
bits instead of 512 bits. The total size of the private key is thus reduced by a factor of 32, from 4096 bytes
to 128 bytes.

2. Signature generation becomes about 3 times faster since the multiplication by the smaller $s_j$ values
is more efficient.

Both properties are highly desirable when the signature generation process has to be carried out in a
smart card with severe limitations on the available memory and computing power.
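The identification and signature procedures described earlier, run with keys generated as in this second variant (d = 16, k = 16, 64-bit s_j), as an added example that is not code from the patent. The demo modulus N, the use of SHA-256 as the function f, the input checks in well_formed and all function names are assumptions of this example.

```python
import hashlib
import secrets

D, K, S_BITS = 16, 16, 64      # d, k, |s_j| from the text's example: d^k = 2^64
# Constructed demo modulus (assumption): product of two Mersenne primes,
# 648 bits. Its factorization is public, so it only illustrates the arithmetic.
N = (2**127 - 1) * (2**521 - 1)
N_BYTES = (N.bit_length() + 7) // 8

def keygen():
    """Second variant: choose small s_j, publish v_j = 1/s_j^d (mod n)."""
    s = [secrets.randbits(S_BITS) | (1 << (S_BITS - 1)) for _ in range(K)]
    assert all(sj**D > N for sj in s)            # wraparound: s_j^d > n
    v = [pow(pow(sj, D, N), -1, N) for sj in s]  # no factorization needed
    return s, v

def f(x, m):
    """Stand-in for the pseudo random function f (assumption: SHA-256).
    Maps (x, m) to k numbers in the range 0 <= e_j < d."""
    h = hashlib.sha256(x.to_bytes(N_BYTES, "big") + m).digest()
    val = int.from_bytes(h, "big")
    return [val // D**j % D for j in range(K)]

def respond(r, s, e):
    """Prover: y = r * prod s_j^e_j (mod n)."""
    y = r
    for sj, ej in zip(s, e):
        y = y * pow(sj, ej, N) % N
    return y

def recompute_x(y, v, e):
    """Verifier: y^d * prod v_j^e_j (mod n), equal to r^d for a valid y."""
    t = pow(y, D, N)
    for vj, ej in zip(v, e):
        t = t * pow(vj, ej, N) % N
    return t

def well_formed(y, e):
    """Reject out-of-range values before doing any arithmetic on them."""
    return (0 < y < N and len(e) == K
            and all(isinstance(ej, int) and 0 <= ej < D for ej in e))

def identify(s, v):
    """One run of the interactive proof, both roles played in-process."""
    r = secrets.randbelow(N - 1) + 1               # prover: 0 < r < n
    x = pow(r, D, N)                               # prover -> verifier
    e = [secrets.randbelow(D) for _ in range(K)]   # verifier -> prover
    y = respond(r, s, e)                           # prover -> verifier
    return well_formed(y, e) and x == recompute_x(y, v, e)

def sign(m, s):
    """Signature on m is the pair (e, y)."""
    r = secrets.randbelow(N - 1) + 1
    e = f(pow(r, D, N), m)
    return e, respond(r, s, e)

def verify(m, sig, v):
    """Accept if and only if f(y^d * prod v_j^e_j mod n, m) equals e."""
    e, y = sig
    return well_formed(y, e) and f(recompute_x(y, v, e), m) == e

if __name__ == "__main__":
    s, v = keygen()
    sig = sign(b"constructed sample message", s)
    print(identify(s, v), verify(b"constructed sample message", sig, v))
```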
Known components can be used for the apparatus of the present invention as portrayed in Figure 1 and
Figure 2, the means to carry out the several steps of the process being apparent to those skilled in the art.

Although the invention has been shown and described in terms of a specific preferred embodiment and
variants, changes and modifications are possible which do not depart from the spirit, scope or contemplation
of the inventive concepts disclosed herein. Such are deemed to fall within the purview of the invention
as claimed.



Claims 

1. A method of proving the identity of an entity comprising the steps of

a) establishing a public key for the entity consisting of a modulus n which is the product of at least
two prime numbers, and a sequence of k numbers $v_1,\ldots,v_k$;

b) computing a private key for the entity consisting of k numbers $s_1,\ldots,s_k$ satisfying $s_j^d v_j = 1 \pmod{n}$
for all $1 \le j \le k$, where d is a universally known constant larger than 1;

c) transmitting from the entity to a verifier $x = r^d \pmod{n}$ where r is a random number in the range
0 < r < n;

d) transmitting from the verifier to the entity a sequence of k random numbers $e_1,\ldots,e_k$ in the range
$0 \le e_j < d$;

e) transmitting from the entity to the verifier the value

$$y = r \prod_{j=1}^{k} s_j^{e_j} \pmod{n};$$

f) verifying the identity of the entity by checking that

$$x = y^d \prod_{j=1}^{k} v_j^{e_j} \pmod{n}.$$

2. A method as claimed in claim 1 wherein steps c, d, e and f are repeated t times where $t \ge 1$.

3. A method as claimed in claim 1 wherein the $v_j$'s are the same for all the entities.

4. A method as claimed in claim 1 wherein the $v_j$'s are the first k prime numbers.

5. A method as claimed in claim 1 including the further step of storing the modulus n and the k
numbers $v_1,\ldots,v_k$ in a public key directory.

6. A method as claimed in claim 1 including the further step of transmitting the modulus n and the k
numbers $v_1,\ldots,v_k$ from the entity to the verifier along with a trusted center's signature on this public key.

7. A method as claimed in claim 3 including the further step of storing the modulus n in a public key
directory.

8. A method as claimed in claim 3 including the further step of transmitting the modulus n from the
entity to the verifier along with a trusted center's signature on this public key.

9. A method as claimed in claim 1 wherein $d^k \ge 2^{20}$.

10. A method as claimed in claim 1 wherein d is either 2 or 3.

11. A method as claimed in claim 1 wherein k is at least 20.

12. A method as claimed in claim 1 wherein n is at least 512 bits long.

13. A method as claimed in claim 1 wherein the secret key $s_1,\ldots,s_k$ is chosen first and each $v_j$ is then
computed as

$$v_j = \frac{1}{s_j^d} \pmod{n}.$$

14. A method as claimed in claim 13 wherein all the entities use the same modulus n which is chosen
by a trusted center that keeps its factorization secret.

15. A method as claimed in claim 13 wherein the $s_j$ are chosen as random b bit numbers with b < |n| and
$s_j^d > n$ for all $1 \le j \le k$.

16. A method of generating a signature for a message m comprising the steps of

a) establishing a public key for the entity consisting of a modulus n which is the product of at least
two prime numbers, and a sequence of k numbers $v_1,\ldots,v_k$;

b) computing a private key for the entity consisting of k numbers $s_1,\ldots,s_k$ satisfying $s_j^d v_j = 1 \pmod{n}$
for all $1 \le j \le k$, where d is a universally known constant larger than 1;

c) agreeing on a common cryptographically strong pseudo random function f which maps its inputs
into a sequence of k numbers $e = e_1,\ldots,e_k$ in the range $0 \le e_j < d$;

d) choosing a random number r in the range 0<r<n and computing $e = f(r^d \pmod{n}, m)$;

e) computing

$$y = r \prod_{j=1}^{k} s_j^{e_j} \pmod{n};$$

f) transmitting or storing e and y as the entity's signature on m.

17. A method of verifying a signature e, y for a message m comprising the steps of

a) computing

$$f\left(y^d \prod_{j=1}^{k} v_j^{e_j} \pmod{n},\ m\right);$$

b) accepting the signature as valid if and only if these values are equal to e.

18. A method as claimed in claim 16 wherein $t \ge 1$ random numbers $r_1,\ldots,r_t$ are chosen in the range
$0 < r_i < n$, $e = e_1^1,\ldots,e_k^t$ numbers in the range $0 \le e_j^i < d$ are computed as
$e = f(r_1^d \pmod{n},\ldots,r_t^d \pmod{n}, m)$, t values $y_1,\ldots,y_t$ are computed as

$$y_i = r_i \prod_{j=1}^{k} s_j^{e_j^i} \pmod{n},$$

and e, $y_1,\ldots,y_t$ are transmitted or stored as the entity's signature on m.

19. A method as claimed in claim 17 for verifying a signature e, $y_1,\ldots,y_t$ generated by the method of
claim 18 for a message m in which the signature is accepted as verified if, and only if,

$$e = f\left(y_1^d \prod_{j=1}^{k} v_j^{e_j^1} \pmod{n},\ \ldots,\ y_t^d \prod_{j=1}^{k} v_j^{e_j^t} \pmod{n},\ m\right).$$

20. A method as claimed in claim 18 wherein the $v_j$'s are the same for all the entities.

21. A method as claimed in claim 18 wherein the $v_j$'s are the first k prime numbers.

22. A method as claimed in claim 18 including the further step of storing the modulus n and the k
numbers $v_1,\ldots,v_k$ in a public key directory.

23. A method as claimed in claim 18 including the further step of incorporating the modulus n, the k
numbers $v_1,\ldots,v_k$, and a trusted center's signature on these values as part of the signature of the message
m.

24. A method as claimed in claim 20 including the further step of storing the modulus n in a public key
25. A method as claimed in claim 20 including the further step of incorporating the modulus n and a
trusted center's signature on it as part of the signature of the message m.

26. A method as claimed in claim 18 wherein $d^k \ge 2^{64}$.

27. A method as claimed in claim 18 wherein d is either 2 or 3.

28. A method as claimed in claim 18 wherein k is at least 64.

29. A method as claimed in claim 18 wherein n is at least 512 bits long.

30. A method as claimed in claim 18 wherein the secret key $s_1,\ldots,s_k$ is chosen first and each $v_j$ is then
computed as

$$v_j = \frac{1}{s_j^d} \pmod{n}.$$

31. A method as claimed in claim 30 wherein all the entities use the same modulus n which is chosen
by a trusted center that keeps its factorization secret.

32. A method as claimed in claim 30 wherein the $s_j$ are chosen as random b bit numbers with b < |n| and
$s_j^d > n$ for all $1 \le j \le k$.

33. Apparatus for proving the identity of an entity comprising

a) means for establishing a public key for the entity consisting of a modulus n which is the product of
at least two prime numbers, and a sequence of k numbers $v_1,\ldots,v_k$;

b) means for computing a private key for the entity consisting of k numbers $s_1,\ldots,s_k$ satisfying
$s_j^d v_j = 1 \pmod{n}$ for all $1 \le j \le k$, where d is a universally known constant larger than 1;

c) means for transmitting from the entity to a verifier $x = r^d \pmod{n}$ where r is a random number in
the range 0<r<n;

d) means for transmitting from the verifier to the entity a sequence of k random numbers $e_1,\ldots,e_k$ in
the range $0 \le e_j < d$;

e) means for transmitting from the entity to the verifier the value

$$y = r \prod_{j=1}^{k} s_j^{e_j} \pmod{n};$$

f) means for verifying the identity of the entity by checking that

$$x = y^d \prod_{j=1}^{k} v_j^{e_j} \pmod{n}.$$

34. Apparatus as claimed in claim 33 including means for repeating t times, where $t \ge 1$, the transmitting
from the entity to a verifier $x = r^d \pmod{n}$ where r is a random number in the range 0<r<n, the transmitting
from the verifier to the entity of a sequence of k random numbers $e_1,\ldots,e_k$ in the range $0 \le e_j < d$, the
transmitting from the entity to the verifier the value

$$y = r \prod_{j=1}^{k} s_j^{e_j} \pmod{n},$$

and the verifying the identity.

35. Apparatus as claimed in claim 33 wherein the $v_j$'s are the same for all the entities.

36. Apparatus as claimed in claim 33 wherein the $v_j$'s are the first k prime numbers.

37. Apparatus as claimed in claim 33 including means for storing the modulus n and the k numbers
$v_1,\ldots,v_k$ in a public key directory.

38. Apparatus as claimed in claim 33 including means for transmitting the modulus n and the k
numbers $v_1,\ldots,v_k$ from the entity to the verifier along with a trusted center's signature on this public key.
39. Apparatus as claimed in claim 35 including means for storing the modulus n in a public key
directory.

40. Apparatus as claimed in claim 35 including means for transmitting the modulus n from the entity to
the verifier along with a trusted center's signature on this public key.

41. Apparatus as claimed in claim 33 wherein $d^k \ge 2^{20}$.

42. Apparatus as claimed in claim 33 wherein d is either 2 or 3.

43. Apparatus as claimed in claim 33 wherein k is at least 20.

44. Apparatus as claimed in claim 33 wherein n is at least 512 bits long.

45. Apparatus as claimed in claim 33 wherein the secret key $s_1,\ldots,s_k$ is chosen first and each $v_j$ is then
computed as

$$v_j = \frac{1}{s_j^d} \pmod{n}.$$

46. Apparatus as claimed in claim 45 wherein all the entities use the same modulus n which is chosen
by a trusted center that keeps its factorization secret.

47. Apparatus as claimed in claim 45 wherein the $s_j$ are chosen as random b bit numbers with b < |n| and
$s_j^d > n$ for all $1 \le j \le k$.

48. Apparatus for generating a signature for a message m comprising

a) means for establishing a public key for the entity consisting of a modulus n which is the product of
at least two prime numbers, and a sequence of k numbers $v_1,\ldots,v_k$;

b) means for computing a private key for the entity consisting of k numbers $s_1,\ldots,s_k$ satisfying
$s_j^d v_j = 1 \pmod{n}$ for all $1 \le j \le k$, where d is a universally known constant larger than 1;

c) means for agreeing on a common cryptographically strong pseudo random function f which maps
its inputs into a sequence of k numbers $e = e_1,\ldots,e_k$ in the range $0 \le e_j < d$;

d) means for choosing a random number r in the range 0 < r < n and computing $e = f(r^d \pmod{n}, m)$;

e) means for computing

$$y = r \prod_{j=1}^{k} s_j^{e_j} \pmod{n};$$

f) means for transmitting or storing e and y as the entity's signature on m.

49. Apparatus for verifying a signature e, y for a message m comprising

a) means for computing

$$f\left(y^d \prod_{j=1}^{k} v_j^{e_j} \pmod{n},\ m\right);$$

b) means for accepting the signature as valid if and only if these values are equal to e.

50. Apparatus as claimed in claim 48 wherein $t \ge 1$ random numbers $r_1,\ldots,r_t$ are chosen in the range
$0 < r_i < n$, $e = e_1^1,\ldots,e_k^t$ numbers in the range $0 \le e_j^i < d$ are computed as
$e = f(r_1^d \pmod{n},\ldots,r_t^d \pmod{n}, m)$, t values $y_1,\ldots,y_t$ are computed as

$$y_i = r_i \prod_{j=1}^{k} s_j^{e_j^i} \pmod{n},$$

and e, $y_1,\ldots,y_t$ are transmitted or stored as the entity's signature on m.

51. Apparatus as claimed in claim 49 for verifying a signature e, $y_1,\ldots,y_t$ generated by the apparatus of
claim 50 for a message m in which the signature is accepted as verified if, and only if,

$$e = f\left(y_1^d \prod_{j=1}^{k} v_j^{e_j^1} \pmod{n},\ \ldots,\ y_t^d \prod_{j=1}^{k} v_j^{e_j^t} \pmod{n},\ m\right).$$

52. Apparatus as claimed in claim 50 wherein the $v_j$'s are the same for all the entities.

53. Apparatus as claimed in claim 50 wherein the $v_j$'s are the first k prime numbers.

54. Apparatus as claimed in claim 50 including means for storing the modulus n and the k numbers
$v_1,\ldots,v_k$ in a public key directory.

55. Apparatus as claimed in claim 50 including means for incorporating the modulus n, the k numbers
$v_1,\ldots,v_k$, and a trusted center's signature on these values as part of the signature of the message m.

56. Apparatus as claimed in claim 52 including means for storing the modulus n in a public key
directory.

57. Apparatus as claimed in claim 52 including means for incorporating the modulus n and a trusted
center's signature on it as part of the signature of the message m.

58. Apparatus as claimed in claim 50 wherein $d^k \ge 2^{64}$.

59. Apparatus as claimed in claim 50 wherein d is either 2 or 3.

60. Apparatus as claimed in claim 50 wherein k is at least 64.

61. Apparatus as claimed in claim 50 wherein n is at least 512 bits long.

62. Apparatus as claimed in claim 50 wherein the secret key $s_1,\ldots,s_k$ is chosen first and each $v_j$ is then
computed as

$$v_j = \frac{1}{s_j^d} \pmod{n}.$$

63. Apparatus as claimed in claim 62 wherein all the entities use the same modulus n which is chosen
by a trusted center that keeps its factorization secret.

64. Apparatus as claimed in claim 62 wherein the $s_j$ are chosen as random b bit numbers with b < |n|
and $s_j^d > n$ for all $1 \le j \le k$.



1/11/2005. EAST Version: 2.0.1.4 



EP 0 325 238 A2

FIG. 1 (schematic of the proof of identity). Box labels recovered from the drawing: d is a universally known constant; public key: a. modulus n, b. sequence of k numbers $v_1,\ldots,v_k$; private key: numbers $s_1,\ldots,s_k$ satisfying $s_j^d v_j = 1 \pmod{n}$ for all j; select random r in range 0<r<n; compute $x = r^d \pmod{n}$; select k random numbers $e_1,\ldots,e_k$ in the range $0 \le e_j < d$; compute $y = r \prod_j s_j^{e_j} \pmod{n}$; receive y; compute $y^d \prod_j v_j^{e_j} \pmod{n}$; compare x and the computed value.

FIG. 2 (schematic of signature generation). Box labels recovered from the drawing: given: a message m; public key: a. modulus n, b. sequence of k numbers; publicly known pseudo random function f which maps its inputs into a sequence of k numbers $e = e_1,\ldots,e_k$ in the range $0 \le e_j < d$; select random r in range 0<r<n and compute $e = f(r^d \pmod{n}, m)$; compute $y = r \prod_j s_j^{e_j} \pmod{n}$.